Tipsheet for Mac Users

Wednesday, April 19, 2006

Security: Maintenance

This article is a collection of material from different sources. I take neither credit nor blame for the ideas--only for putting them together. It is a work in progress and will be updated from time to time.

As soon as security is mentioned in relation to a computer, most of us think of viruses. Even though there is no known virus for Mac OS X, apart from a relatively weak trojan called Oompa Loompa, as soon as we hear the word virus, we load up our computers with anti-virus software, sometimes to the detriment of our macs.

Mac OS X comes with a number of excellent built in security features, about which most of us mac users know little and use less. So rather than talking about viruses or anti-virus software, let us think of Maintenance, safe practices and OS Hardening as the best line of defence in Mac OS Security.

Maintenance
The first line of defense in terms of protecting our valuable data is good maintenance. When your computer crashes it may already be too late. Gulliver, a poster in Apple Discussions, says:
"Most installation and update problems seem to be caused by issues that existed already before the update and became worse, or appeared first after the update/installation. There is consensus that one should never run an upgrade on a system that already has problems."
Here are some maintenance practices that can help you avoid a number of issues:
*Repair Disk Permissions before and after installing new software, including software updates.
*If you have to force-shutdown or force-restart your computer run fsck at the next restart. For directions on how to do this procedure see Using Disk Utility and fsck for file system maintenance in Mac OS X. This may not be necessary if your hard disk drive is Journaled.

*Backup Regularly
Dr. Smoke says, in his chapter on Backup and Recovery in the X Lab linked below,
Unfortunately, too many folks never realize the value of a comprehensive backup and recovery solution until after disaster has struck. Of course, by then, it's too late. We believe that using a personal computer without a comprehensive backup and recovery solution is like driving without auto insurance.
Backup and Recovery.

Although Dr. Smoke highly recommends backup software Retrospect, I have found it a bit difficult to use, and most of the time I rely on Carbon Copy Cloner, Super Duper, Deja Vu, and, of course, Apple's own Disk Utility bundled with OS X software. If you have Retrospect and can use it effectively, it is a good software package. However, using a cloner is better than no backup at all.

Further Reading on Backups: Mac OS X data backup FAQ

*Run Unix Maintenance or CRON cleaning regularly. Software like MacJanitor and Cocktail are easy to use and allow you to run scripts daily, weekly, or monthly. I use Macaroni which automates the entire process for less than $10.

*Directory Repair and Maintenance. I use Tech Tool Pro at least monthly to run hardware diagnostics, do directory maintenance and optimization. Many users prefer Disk Warrior for Directory Maintenance. Both are excellent tools.

There is some debate around the need to run defragmentation software. Here is what Apple says about it.

Further resources:
Panther Maintenance Tips
OS X Routine Maintenance and Generic Troubleshooting
Prevent Mac Disasters

See also
Security: Safe Practices
Security: OS Hardening

Security: Safe Practices

This article is a collection of material from different sources. I take neither credit nor blame for the ideas--only for putting them together. It is a work in progress and will be updated from time to time.

The mac user is one of the greatest security features on the mac. Developing safe practices can help secure your mac from “intruders” of many kinds. Here are some tips on safe practices which can help you do that.

Set your email account Options to exclusive, or whatever the designation is, so that all email from senders not in your address book will go into a "bulk or junk mail" folder. Junk email should be treated as such, junk. If you don’t recognize the sender, delete the email.

Don’t fall for hoaxes. Check them on Google by typing the title with the word "hoax" at the end. Always check out forwarded stories before forwarding.

Restrain the urge to forward everything. If you must forward be discriminating and recipient specific. This is not only a courtesy to your recipients, but it might protect them from viruses or trojans, especially if they do not have the protection of Mac OS X. If forwarding to multiple recipients, use Bcc. (blind copy) so as not to publish your recipients' email addresses to the world.

Beware of “phishing”, emails that look like they come from legitimate sources, with websites that look authentic, but are not. If you have an account with that agency go to their secure website and click on "Contact Us", or similar link and check the authenticity of the communication you received.

Do not download files from sources you are not certain you can trust, and, even if you do, do not authenticate to install unless you know what you are about to install.

Do not give out any more information than you need to give out.
• You probably don’t even have accounts with the banks, firms, etc., sending the E-mails.
• Even if you did, banks and legitimate businesses send you security warnings via paper letters sent through the postal system, not via E-mail.
• You probably have never told your bank your e-mail address. If you do on-line banking, some computer somewhere knows your e-mail address, but this is not the same as the bank itself. The bank will contact you via postal letter.
• If a Web site demands a name and e-mail address before it gives you, say, a free Acrobat document on computer security, make one up. A good one to use is the mythical william.gates@msn.com living in the mythical town of Redmond, WA.
• If you must give valid information to, say, your bank, limit what you give out. A web site has no need of your Social Security number, or your mother’s maiden name, or your birth date.
• Keep in mind that firms often sell information they collect. So if a site absolutely insists on a bunch of irrelevant personal information, make it up. You won’t mind them selling fiction to someone else.
• One common data harvesting technique used by legitimate sites is the personal question with personal answer technique, used for verifying identity of lost passwords and such. In this technique – entirely legitimate – the site might ask for your birth date. But since the business might sell the birth date, don’t give them your birth date. Give the birth date of your pet hamster. Or see if the site accepts “chocolate” as a birth date. Everyone knows things go better with chocolate.

See also
Security: Maintenance
Security: OS Hardening

Security: OS Hardening

After you started up your new computer with OS X, or after installing OS X, the computer led you through a process of setting up your computer. You set up an Admin User, and selected a password. However, for everyday use you don’t need to run as an Admin User. A Standard account will do fine, and it is more secure.

a. Create a new Admin Account
Most likely you have already set up your account, and just as likely it's an admin account. What do you do? In Mac OS X, changing this is relatively easy. Let’s assume you have one account on your computer and it's an admin account. Here’s how you change it:
•Go to the Apple Menu > System Preferences > Accounts. Click on Accounts.
•Click the (+) under Login Options to add an account.
•Check the box to let that user "Allow User to administer this computer." You are temporarily creating a second admin account. Be sure you give it a good password and that you remember it! (More about passwords later, but just choose one now, you can change it later.)
•Log out by going to the Apple Menu and selecting "Log Out whoever" at the very bottom of the list.
•Go back to System Preferences > Accounts, and find your original user.
•Uncheck the box for that account that allows it to administer the computer. You've now changed your regular account into a Standard user account and you've created a new admin account that you'll hardly ever use. That's the point: only use the admin account when you absolutely need to.
•Disable Automatic Login.
Make sure Automatic Login box is unchecked.
Instead choose to have the Name and Password box checked.
List of Users provides too much information and is not as secure.

b. Turn ON your Firewall!
•Go to System Preferences > Sharing.
•Open Sharing and Click on Firewall.
•Turn on Firewall
•Click on Advanced then click on Stealth mode.


c. Turn ON Automatic updates!
•Apple Menu > System Preferences > Software Update.
•Check the box so this runs, preferably DAILY, if your internet connection can handle it.

d. Turn OFF "Open 'Safe' Files After Downloading"
The most recent security hole exploits the fact that many people leave this checked.
Go to Safari > Preferences, and on the General tab, uncheck the "Open 'Safe' Files After Downloading" box.

e. Block Pop-ups in Safari!
•Safari Menu > Block Pop-up Windows

f. Use Firefox
*Download Firefox
•Go to the Tools Menu and open Extensions.
•Download AdBlock. This feature gives you control over what sites will load and how often and how much you want to load.

g. Avoid using Internet Explorer. You have very little control over it, and it is less secure than either Safari or Firefox.

If you are UNIX savvy there are various other options available. If you are interested, check out the Corsaire White Papers linked below. However, this article is intended for the average user, for whom the above measures should provide a reasonably secure computing environment.
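
For readers who are comfortable in Terminal, the settings from steps a and d can be checked read-only with a short script. This is an added example, not part of the original article; the preference keys it reads (autoLoginUser, SHOWFULLNAME, AutoOpenSafeDownloads) and all function names are assumptions that the article does not mention.

```shell
#!/bin/sh
# Added example: read-only audit of hardening steps a and d.
# The preference keys below are assumptions; they are not named in the article.

# Print a preference value, or nothing when the key is unset or the
# `defaults` tool is missing (i.e. not running on Mac OS X).
read_pref() {
    command -v defaults >/dev/null 2>&1 || return 0
    defaults read "$1" "$2" 2>/dev/null || true
}

# Step a: the everyday account should not be in the "admin" group.
# $1 = space-separated group names, as printed by `id -Gn`.
check_admin() {
    case " $1 " in
        *" admin "*) echo FAIL ;;
        *)           echo OK ;;
    esac
}

# Step a: automatic login. The key exists only while automatic login is
# enabled, so an unset (empty) value is the safe state.
check_autologin() {
    if [ -n "$1" ]; then echo FAIL; else echo OK; fi
}

# Step a: login window style. Unset means the default "List of Users",
# so only an explicit true value passes.
check_login_window() {
    case "$1" in
        1|true|TRUE|yes|YES) echo OK ;;
        *)                   echo FAIL ;;
    esac
}

# Step d: Safari opens "safe" files by default, so an unset key counts
# as enabled; only an explicit false value passes.
check_safe_files() {
    case "$1" in
        0|false|FALSE|no|NO) echo OK ;;
        *)                   echo FAIL ;;
    esac
}

# Run every check against the current machine and account.
audit() {
    lw=/Library/Preferences/com.apple.loginwindow
    echo "a. everyday account is Standard:  $(check_admin "$(id -Gn 2>/dev/null)")"
    echo "a. automatic login disabled:      $(check_autologin "$(read_pref "$lw" autoLoginUser)")"
    echo "a. login shows Name and Password: $(check_login_window "$(read_pref "$lw" SHOWFULLNAME)")"
    echo "d. Safari 'safe' files auto-open off: $(check_safe_files "$(read_pref com.apple.Safari AutoOpenSafeDownloads)")"
}

audit
```

Run it while logged in to your everyday account; a FAIL line points back to the lettered step that still needs doing.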

See also
White Papers on Securing Mac OS
Security: Maintenance
Security: Safe Practices

Tuesday, April 04, 2006

Basic Requirements for Installing Panther or Tiger

-Macintosh with a PowerPC G3, G4, or G5 processor
-Built-in USB
-At least 128MB of physical RAM
-Built-in display or a display connected to an Apple-supplied video card supported by your computer

Repair Disk Permissions

Repair Disk Permissions (Applications > Utilities > Disk Utility. Select your HDD (manufacturer ID) in left column and First Aid in main column. Click Repair Disk Permissions at bottom left.)

Repair Disk

Repair Disk (Insert Installer disk and Restart, holding down the "C" key. When booted from the installer disk go to the Installer Menu and select Disk Utility. Select your HDD (manufacturer name) in the left panel and First Aid in the Main panel. Click Repair Disk on the bottom right. If DU reports errors run Repair again, and again until no errors are reported.
If DU reports errors it cannot repair, you will need to use a third party utility like Tech Tool Pro or Disk Warrior.)

Reset PRAM

1. Shut down the computer.
2. Locate the following keys on the keyboard: Command, Option, P, and R. You will need to hold these keys down simultaneously in step 4.
3. Turn on the computer.
4. Press and hold the Command-Option-P-R keys. You must press this key combination before the gray screen appears.
5. Hold the keys down until the computer restarts and you hear the startup sound for the second time.
6. Release the keys.

Your computer's PRAM and the NVRAM are reset to the default values. The clock settings may be reset to a default date on some models.

Tiger from OS 9

This process will completely erase everything on your Hard Disk Drive. Be sure to Backup your User Folder and all third party apps you can't afford to lose.
1. Boot from your OS 9 install CD holding down C key.
2. Go to Drive Setup and reformat your drive as Mac OS Extended (HFS+)
3. Reinstall OS 9
4. Update to 9.2.2: Mac OS 9: Available Updates
5. Upgrade your firmware
6. Boot from the 10.4.x install disk
7. Go to Utilities Menu and open Disk Utility
8. Repair Permissions!
9. Install Mac OS X 10.4.x
10. Restart and Repair Disk Permissions (Applications > Utilities > Disk Utility)!
11. Download and apply the Mac OS X Update 10.4.x (Combo)
12. Restart and Repair Disk Permissions (Applications > Utilities > Disk Utility)!
13. Run Software Update and apply all updates available
14. Repair Disk Permissions (Applications > Utilities > Disk Utility)

Clean Panther installation with OS 9

This process will completely erase everything on your Hard Disk Drive. Be sure to Backup your User Folder and all third party apps you can't afford to lose.
1. Boot from your OS 9 install CD holding down C key.
2. Go to Drive Setup and reformat your drive as Mac OS Extended (HFS+)
3. Reinstall OS 9
4. Update to 9.2.2: Mac OS 9: Available Updates
5. Upgrade your firmware
6. Boot from the 10.3.x install CD 1
7. Go to Installer Menu and open Disk Utility
8. Repair Disk Permissions!
9. Install Mac OS X 10.3.x
10. Restart and Repair permissions (Applications > Utilities > Disk Utility)!
11. Download and apply the Mac OS X Update 10.3.9 (Combo)
12. Restart and Repair permissions!
13. Run Software Update and apply all updates available
14. Repair Disk Permissions (Applications > Utilities > Disk Utility)!

Security: Maintenance, Safe Practices, OS Hardening

This article is a collection of material from different sources. I take neither credit nor blame for the ideas--only for putting them together. It is a work in progress and will be updated from time to time.

As soon as security is mentioned in relation to a computer, most of us think of viruses. Even though there is no known virus for Mac OS X, apart from a relatively weak trojan called Oompa Loompa, as soon as we hear the word virus, we load up our computers with anti-virus software, sometimes to the detriment of our macs.

Mac OS X comes with a number of excellent built in security features, about which most of us mac users know little and use less. So rather than talking about viruses or anti-virus software, let us think of Maintenance, safe practices and OS Hardening as the best line of defence in Mac OS Security.

Maintenance
The first line of defense in terms of protecting our valuable data is good maintenance. When your computer crashes it may already be too late. Gulliver, a poster in Apple Discussions, says:
"Most installation and update problems seem to be caused by issues that existed already before the update and became worse, or appeared first after the update/installation. There is consensus that one should never run an upgrade on a system that already has problems."

Here are some maintenance practices that can help you avoid a number of issues:
*Repair Disk Permissions before and after installing new software, including software updates.

*Backup Regularly
Dr. Smoke says, in his chapter on Backup and Recovery in the X Lab linked below,
Unfortunately, too many folks never realize the value of a comprehensive backup and recovery solution until after disaster has struck. Of course, by then, it's too late. We believe that using a personal computer without a comprehensive backup and recovery solution is like driving without auto insurance.
Here is the link: Backup and Recovery

Although Dr. Smoke highly recommends backup software Retrospect, I have found it a bit difficult to use, and most of the time I rely on Carbon Copy Cloner, Super Duper, Deja Vu, and, of course, Apple's own Disk Utility bundled with OS X software. If you have Retrospect and can use it effectively, it is a good software package. However, using a cloner is better than no backup at all.

Further Reading on Backups:
Mac OS X data backup FAQ

*Run Unix Maintenance or CRON cleaning regularly. Software like MacJanitor and Cocktail are easy to use and allow you to run scripts daily, weekly, or monthly. I use Macaroni which automates the entire process for less than $10.

*Directory Repair and Maintenance. I use Tech Tool Pro at least monthly to run hardware diagnostics, do directory maintenance and optimization. Some users prefer Disk Warrior for Directory Maintenance. Both are excellent tools.

There is some debate around the need to run defragmentation software. Here is what Apple says about it.

Further resources:
Panther Maintenance Tips
OS X Routine Maintenance and Generic Troubleshooting
Prevent Mac Disasters


Safe Practices
The mac user is one of the greatest security features on the mac. Developing safe practices can help secure your mac from many “intruders.”

Junk email should be treated as such, junk. If you don’t recognize the sender, delete the email.

Don’t fall for hoaxes. Check them on Google by typing the title with the word "hoax" at the end. Always check before forwarding.

Restrain the urge to forward everything. If you must forward be discriminating and recipient specific. If forwarding to multiple recipients, use Bcc. (blind copy) so as not to publish your recipients' email addresses to the world.

Beware of “phishing”, emails that look like they come from genuine sources, with websites that look authentic, but are not. If you have an account with that agency go to their website and click on "Contact Us", or similar link and check the authenticity of the communication you received.

Do not download files from sources you don’t know you can trust, and, even if you do, do not authenticate to install unless you know what you are about to install.

Do not give out any more information than you need to give out.
• You probably don’t even have accounts with the banks, firms, etc., sending the E-mails.
• Even if you did, banks and legitimate businesses send you security warnings via paper letters sent through the postal system, not via E-mail.
• You probably have never told your bank your E-mail address. If you do on-line banking, some computer somewhere knows your E-mail address, but this is not the same as the bank itself. The bank will contact you via postal letter.
• If a Web site demands a name and E-mail address before it gives you, say, a free Acrobat document on computer security, make one up. A good one to use is the mythical william.gates@msn.com living in the mythical town of Redmond, WA.
• If you must give valid information to, say, your bank, limit what you give out. A Web site has no need of your Social Security number, or your mother’s maiden name, or your birth date.
• Keep in mind that firms often sell information they collect. So if a site absolutely insists on a bunch of irrelevant personal information, make it up. You won’t mind them selling fiction to someone else.
• One common data harvesting technique used by legitimate sites is the personal question with personal answer technique, used for verifying identity of lost passwords and such. In this technique – entirely legitimate – the site might ask for your birth date. But since the business might sell the birth date, don’t give them your birth date. Give the birth date of your pet hamster. Or see if the site accepts “chocolate” as a birth date. Everyone knows things go better with chocolate.

OS Hardening

After you started up your new computer with OS X, or after installing OS X, the computer led you through a process of setting up your computer. You set up an Admin User, and selected a password. However, for everyday use you don’t need to run as an Admin User. A Standard account will do fine, and it is more secure.

a. Create a new Admin Account
Most likely you have already set up your account, and just as likely it's an admin account. What do you do? In Mac OS X, changing this is relatively easy. Let’s assume you have one account on your computer and it's an admin account. Here’s how you change it:
•Go to the Apple Menu > System Preferences > Accounts. Click on Accounts.
•Click the (+) under Login Options to add an account.
•Check the box to let that user "Allow User to administer this computer." You are temporarily creating a second admin account. Be sure you give it a good password and that you remember it! (More about passwords later, but just choose one now, you can change it later.)
•Log out by going to the Apple Menu and selecting "Log Out whoever" at the very bottom of the list.
•Go back to System Preferences > Accounts, and find your original user.
•Uncheck the box for that account that allows it to administer the computer. You've now changed your regular account into a Standard user account and you've created a new admin account that you'll hardly ever use. That's the point: only use the admin account when you absolutely need to.
•Disable Automatic Login.
Make sure Automatic Login box is unchecked.
Instead choose to have the Name and Password box checked.
List of Users provides too much information and is not as secure.

b. Turn ON your Firewall!
•Go to System Preferences > Sharing.
•Open Sharing and Click on Firewall.
•Turn on Firewall
•Click on Advanced then click on Stealth mode.


c. Turn ON Automatic updates!
•Apple Menu > System Preferences > Software Update.
•Check the box so this runs, preferably DAILY, if your internet connection can handle it.

d. Turn OFF "Open 'Safe' Files After Downloading"
The most recent security hole exploits the fact that many people leave this checked.
Go to Safari > Preferences, and on the General tab, uncheck the "Open 'Safe' Files After Downloading" box.

e. Block Pop-ups in Safari!
•Safari Menu > Block Pop-up Windows

f. Use Firefox
*Download Firefox
•Go to the Tools Menu and open Extensions.
•Download AdBlock. This feature gives you control over what sites will load and how often and how much you want to load.

g. Avoid using Internet Explorer. You have very little control over it, and it is less secure than either Safari or Firefox.

If you are UNIX savvy there are various other options available. However, this article is intended for the average user, for whom the above measures should provide a much more secure computing environment.